Autonomous System State Tolerance Adjustment for Autonomous Management Systems

ABSTRACT

In general, the techniques of this invention are directed to determining whether a component failure in a distributed computing system is genuine. In particular, embodiments of this invention analyze monitoring data from other application nodes in a distributed computing system to determine whether the component failure is genuine. If the component failure is not genuine, the embodiments may adjust a fault tolerance parameter that caused the component failure to be perceived.

TECHNICAL FIELD

This application claims the benefit of U.S. provisional Application Ser.No. 60/797,214, filed May 3, 2006, the entire content of which isincorporated herein by reference.

BACKGROUND

Distributed computing systems are increasingly being utilized to supportbusiness as well as technical applications. Typically, distributedcomputing systems are constructed from a collection of computing nodesthat combine to provide a set of processing services to implement thedistributed computing applications. Each of the computing nodes in thedistributed computing system is typically a separate, independentcomputing device interconnected with each of the other computing nodesvia a communications medium, e.g., a network.

One challenge with distributed computing systems is the organization,deployment and administration of such a system within an enterpriseenvironment. For example, it is often difficult to manage the allocationand deployment of enterprise computing functions within the distributedcomputing system. An enterprise, for example, often includes severalbusiness groups, and each group may have competing and variablecomputing requirements.

SUMMARY

In general, the techniques of this invention are directed to autonomicmanagement of autonomic management systems. In particular, theembodiments of this invention use a measure, analyze, and respond modelto autonomically manage one or more autonomic management systems. Byunderstanding specific state information of these autonomic managementsystems, embodiments of the invention may achieve optimal performancefor the autonomic management systems through operations monitoring,analyzing current system state against optimal state, and modifying theconfigurations or resources of the autonomic management systems.

For example, an autonomic management system may be a distributedcomputing system that conforms to a multi-level, hierarchicalorganizational model. One or more control nodes provide for theefficient and automated allocation and management of computing functionsand resources within the distributed computing system in accordance withthe organization model.

As described herein, the model includes four distinct levels: fabric,domains, tiers and nodes that provide for the logical abstraction andcontainment of the physical components as well as system and serviceapplication software of the enterprise. A user, such as a systemadministrator, interacts with the control nodes to logically define thehierarchical organization of the distributed computing system. Thecontrol nodes are responsible for all levels of management in accordancewith the model, including fabric management, domain creation, tiercreation and node allocation and deployment.

In one embodiment, a method comprises receiving monitoring data from aplurality of application nodes interconnected via a communicationnetwork. The method also includes receiving a failure notification froman autonomic management system when the autonomic management systemperceives a failure of a first application node based on a faulttolerance parameter. In addition, the method includes analyzing themonitoring data from all of the application nodes to determine whetherthe perceived failure of the first application node is genuine. Themethod also comprises adjusting the fault tolerance parameter when theperceived failure of the first application is not genuine.

In another embodiment, a distributed computing system comprises aplurality of application nodes interconnected via a communicationsnetwork. The system also comprises an autonomic management system toprovide autonomic control of the application nodes, wherein theautonomic management system monitors the application nodes to perceive afailure of a first node of the application nodes based on a faulttolerance parameter. In addition, the system includes a system statusmanager to adjust the fault tolerance parameter based on an analysis ofa state of all of the application nodes.

In another embodiment, a computer-readable medium comprisesinstructions. The instructions cause a processor to receive monitoringdata from a plurality of application nodes interconnected via acommunication network. The instructions also cause the processor toreceive a failure notification from an autonomic management system whenthe autonomic management system perceives a failure of a firstapplication node based on a fault tolerance parameter. In addition, theinstructions also the processor to analyze the monitoring data from allof the application nodes to determine whether the perceived failure ofthe first application node is genuine. The instructions further causethe processor to adjust the fault tolerance parameter when the perceivedfailure of the first application is not genuine.

The details of one or more embodiments of the invention are set forth inthe accompanying drawings and the description below. Other features,objects, and advantages of the invention will be apparent from thedescription and drawings, and from the claims.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram illustrating a distributed computing systemconstructed from a collection of computing nodes.

FIG. 2 is a schematic diagram illustrating an example of a model of anenterprise that logically defines an enterprise fabric.

FIG. 3 is a flow diagram that provides a high-level overview of theoperation of a control node when configuring the distributed computingsystem.

FIG. 4 is a flow diagram illustrating exemplary operation of the controlnode when assigning computing nodes to node slots of tiers.

FIG. 5 is a flow diagram illustrating exemplary operation of a controlnode when adding an additional computing node to a tier to meetadditional processing demands.

FIG. 6 is a flow diagram illustrating exemplary operation of a controlnode harvesting excess node capacity from one of the tiers and returningthe harvested computing node to the free pool.

FIG. 7 is a screen illustration of an exemplary user interface fordefining tiers in a particular domain.

FIG. 8 is a screen illustration of an exemplary user interface fordefining properties of the tiers.

FIG. 9 is a screen illustration of an exemplary user interface forviewing and identify properties of a computing node.

FIG. 10 is a screen illustration of an exemplary user interface forviewing software images.

FIG. 11 is a screen illustration of an exemplary user interface forviewing a hardware inventory report.

FIG. 12 is a screen illustration of an exemplary user interface forviewing discovered nodes that are located in the free pool.

FIG. 13 is a screen illustration of an exemplary user interface forviewing users of a distributed computing system.

FIG. 14 is a screen illustration of an exemplary user interface forviewing alerts for the distributed computing system.

FIG. 15 is a block diagram illustrating one embodiment of control nodethat includes a monitoring subsystem, a service level automationinfrastructure (SLAI), and a business logic tier (BLT).

FIG. 16 is a block diagram illustrating one embodiment of the monitoringsubsystem.

FIG. 17 is a block diagram illustrating one embodiment of the SLAI infurther detail.

FIG. 18 is a block diagram of an example working memory associated withrule engines of the SLAI.

FIG. 19 is a block diagram illustrating an example embodiment for theBLT of the control node.

FIG. 20 is a block diagram illustrating one embodiment of a rule enginein further detail.

FIG. 21 is a block diagram illustrating another example embodiment ofthe control node.

FIG. 22 is a flowchart illustrating an exemplary mode of initiating acontrol node utilizing an application matrix.

FIG. 23 is a block diagram illustrating an exemplary application matrix.

FIG. 24 is a block diagram illustrating an exemplary system thatautonomically manages a first distributed computing system and a seconddistributed computing system.

FIG. 25 is a block diagram illustrating an exemplary embodiment ofautonomic management system manager.

DETAILED DESCRIPTION

FIG. 1 is a block diagram illustrating a distributed computing system 10constructed from a collection of computing nodes. Distributed computingsystem 10 may be viewed as a collection of computing nodes operating incooperation with each other to provide distributed processing.

In the illustrated example, the collection of computing nodes formingdistributed computing system 10 are logically grouped within adiscovered pool 11, a free pool 13, an allocated tiers 15 and amaintenance pool 17. In addition, distributed computing system 10includes at least one control node 12.

Within distributed computing system 10, a computing node refers to thephysical computing device. The number of computing nodes needed withindistributed computing system 10 is dependent on the processingrequirements. For example, distributed computing system 10 may include 8to 512 computing nodes or more. Each computing node includes one or moreprogrammable processors for executing software instructions stored onone or more computer-readable media.

Discovered pool 11 includes a set of discovered nodes that have beenautomatically “discovered” within distributed computing system 10 bycontrol node 12. For example, control node 12 may monitor dynamic hostcommunication protocol (DHCP) leases to discover the connection of anode to network 18. Once detected, control node 12 automaticallyinventories the attributes for the discovered node and reassigns thediscovered node to free pool 13. The node attributes identified duringthe inventory process may include a CPU count, a CPU speed, an amount ofmemory (e.g., RAM), local disk characteristics or other computingresources. Control node 12 may also receive input identifying nodeattributes not detectable via the automatic inventory, such as whetherthe node includes I/O, such as HBA. Further details with respect to theautomated discovery and inventory processes are described in U.S. patentapplication Ser. No. 11/070,851, having attorney docket no.1072-009US01, entitled “AUTOMATED DISCOVERY AND INVENTORY OF NODESWITHIN AN AUTONOMIC DISTRIBUTED COMPUTING SYSTEM,” filed Mar. 2, 2005,the entire content of which is hereby incorporated by reference.

Free pool 13 includes a set of unallocated nodes that are available foruse within distributed computing system 10. Control node 12 maydynamically reallocate an unallocated node from free pool 13 toallocated tiers 15 as an application node 14. For example, control node12 may use unallocated nodes from free pool 13 to replace a failedapplication node 14 or to add an application node to allocated tiers 15to increase processing capacity of distributed computing system 10.

In general, allocated tiers 15 include one or more tiers of applicationnodes 14 that are currently providing a computing environment forexecution of user software applications. In addition, although notillustrated separately, application nodes 14 may include one or moreinput/output (I/O) nodes. Application nodes 14 typically have moresubstantial I/O capabilities than control node 12, and are typicallyconfigured with more computing resources (e.g., processors and memory).Maintenance pool 17 includes a set of nodes that either could not beinventoried or that failed and have been taken out of service fromallocated tiers 15.

Control node 12 provides the system support functions for managingdistributed computing system 10. More specifically, control node 12manages the roles of each computing node within distributed computingsystem 10 and the execution of software applications within thedistributed computing system. In general, distributed computing system10 includes at least one control node 12, but may utilize additionalcontrol nodes to assist with the management functions.

Other control nodes 12 (not shown in FIG. 1) are optional and may beassociated with a different subset of the computing nodes withindistributed computing system 10. Moreover, control node 12 may bereplicated to provide primary and backup administration functions,thereby allowing for graceful handling a failover in the event controlnode 12 fails.

Network 18 provides a communications interconnect for control node 12and application nodes 14, as well as discovered nodes, unallocated nodesand failed nodes. Communications network 18 permits internodecommunications among the computing nodes as the nodes performinterrelated operations and functions. Communications network 18 maycomprise, for example, direct connections between one or more of thecomputing nodes, one or more customer networks maintained by anenterprise, local area networks (LANs), wide area networks (WANs) or acombination thereof. Communications network 18 may include a number ofswitches, routers, firewalls, load balancers, and the like.

In one embodiment, each of the computing nodes within distributedcomputing system 10 executes a common general-purpose operating system.One example of a general-purpose operating system is the Windows™operating system provided by Microsoft Corporation. In some embodiments,the general-purpose operating system such as the Linux kernel may beused.

In the example of FIG. 1, control node 12 is responsible for softwareimage management. The term “software image” refers to a complete set ofsoftware loaded on an individual computing node to provide an executionenvironment for one or more applications. The software image includingthe operating system and all boot code, middleware files, and mayinclude application files. As described below embodiments of theinvention provide application-level autonomic control over thedeployment, execution and monitoring of applications onto softwareimages associated with application nodes 14.

System administrator 20 may interact with control node 12 and identifythe particular types of software images to be associated withapplication nodes 14. Alternatively, administration software executingon control node 12 may automatically identify the appropriate softwareimages to be deployed to application nodes 14 based on the inputreceived from system administrator 20. For example, control node 12 maydetermine the type of software image to load onto an application node 14based on the functions assigned to the node by system administrator 20.Application nodes 14 may be divided into a number of groups based ontheir assigned functionality. As one example, application nodes 14 maybe divided into a first group to provide web server functions, a secondgroup to provide business application functions and a third group toprovide database functions. The application nodes 14 of each group maybe associated with different software images.

Control node 12 provides for the efficient allocation and management ofthe various software images within distributed computing system 10. Insome embodiments, control node 12 generates a “golden image” for eachtype of software image that may be deployed on one or more ofapplication nodes 14. As described herein, the term “golden image”refers to a reference copy of a complete software stack for providing anexecution environment for applications.

System administrator 20 may create a golden image by installing anoperating system, middleware and software applications on a computingnode and then making a complete copy of the installed software. In thismanner, a golden image may be viewed as a “master copy” of the softwareimage for a particular computing function. Control node 12 maintains asoftware image repository 26 that stores the golden images associatedwith distributed computing system 10.

Control node 12 may create a copy of a golden image, referred to as an“image instance,” for each possible image instance that may be deployedwithin distributed computing system 10 for a similar computing function.In other words, control node 12 pre-generates a set of K image instancesfor a golden image, where K represents the maximum number of imageinstances for which distributed computing system 10 is configured forthe particular type of computing function. For a given computingfunction, control node 12 may create the complete set of image instanceeven if not all of the image instances will be initially deployed.Control node 12 creates different sets of image instances for differentcomputing functions, and each set may have a different number of imageinstances depending on the maximum number of image instances that may bedeployed for each set. Control node 12 stores the image instances withinsoftware image repository 26. Each image instance represents acollection of bits that may be deployed on an application node.

Further details of software image management are described in co-pendingU.S. patent application Ser. No. 11/046,133, entitled “MANAGEMENT OFSOFTWARE IMAGES FOR COMPUTING NODES OF A DISTRIBUTED COMPUTING SYSTEM,”filed Jan. 28, 2005 and co-pending U.S. patent application Ser. No.11/046,152, entitled “UPDATING SOFTWARE IMAGES ASSOCIATED WITH ADISTRIBUTED COMPUTING SYSTEM,” filed Jan. 28, 2005, each of which isincorporated herein by reference in its entirety.

In general, distributed computing system 10 conforms to a multi-level,hierarchical organizational model that includes four distinct levels:fabric, domains, tiers and nodes. Control node 12 is responsible for alllevels of management, including fabric management, domain creation, tiercreation and node allocation and deployment.

As used herein, the “fabric” level generally refers to the logicalconstructs that allow for definition, deployment, partitioning andmanagement of distinct enterprise applications. In other words, fabricrefers to the integrated set of hardware, system software andapplication software that can be “knitted” together to form a completeenterprise system. In general, the fabric level consists of twoelements: fabric components or fabric payload. Control node 12 providesfabric management and fabric services as described herein.

In contrast, a “domain” is a logical abstraction for containment andmanagement within the fabric. The domain provides a logical unit offabric allocation that enables the fabric to be partitioned amongstmultiple uses, e.g. different business services.

Domains are comprised of tiers, such as a 4-tier application model (webserver, application server, business logic, persistence layer) or asingle tier monolithic application. Fabric domains contain the free poolof devices available for assignment to tiers.

A tier is a logically associated group of fabric components within adomain that share a set of attributes: usage, availability model orbusiness service mission. Tiers are used to define structure within adomain e.g. N-tier application, and each tier represents a differentcomputing function. A user, such as administrator 20, typically definesthe tier structure within a domain. The hierarchical architecture mayprovide a high degree of flexibility in mapping customer applications tological models which run within the fabric environment. The tier is oneconstruct in this modeling process and is the logical container ofapplication resources.

The lowest level, the node level, includes the physical components ofthe fabric. This includes computing nodes that, as described above,provide operating environments for system applications and enterprisesoftware applications. In addition, the node level may include networkdevices (e.g., Ethernet switches, load balancers and firewalls) used increating the infrastructure of network 18. The node level may furtherinclude network storage nodes that are network connected to the fabric.

System administrator 20 accesses administration software executing oncontrol node 12 to logically define the hierarchical organization ofdistributed computing system 10. For example, system administrator 20may provide organizational data 21 to develop a model for the enterpriseand logically define the enterprise fabric. System administrator 20 may,for instance, develop a model for the enterprise that includes a numberof domains, tiers, and node slots hierarchically arranged within asingle enterprise fabric.

More specifically, system administrator 20 defines one or more domainsthat each correspond to a single enterprise application or service, suchas a customer relation management (CRM) service. System administrator 20further defines one or more tiers within each domain that represent thefunctional subcomponents of applications and services provided by thedomain. As an example, system administrator 20 may define a storefrontdomain within the enterprise fabric that includes a web tier, anapplication tier and a database tier. In this manner, distributedcomputing system 10 may be configured to automatically provide webserver functions, business application functions and database functions.

For each of the tiers, control node 12 creates a number of “node slots”equal to the maximum number of application nodes 14 that may bedeployed. In general, each node slot represents a data set thatdescribes specific information for a corresponding node, such assoftware resources for a physical node that is assigned to the nodeslot. The node slots may, for instance, identify a particular softwareimage instance associated with an application node 14 as well as anetwork address associated with that particular image instance.

In this manner, each of the tiers include one or more node slots thatreference particular software image instances to boot on the applicationnodes 14 to which each software image instance is assigned. Theapplication nodes 14 to which control node 12 assigns the imageinstances temporarily inherit the network address assigned to the imageinstance for as long as the image instance is deployed on thatparticular application node. If for some reason the image instance ismoved to a different application node 14, control node 12A moves thenetwork address to that new application node.

System administrator 20 may further define specific node requirementsfor each tier of the fabric. For example, the node requirementsspecified by system administrator 20 may include a central processingunit (CPU) count, a CPU speed, an amount of memory (e.g., RAM), localdisk characteristics and other hardware characteristics that may bedetected on the individual computing nodes. System administrator 20 mayalso specify user-defined hardware attributes of the computing nodes,such as whether I/O (like HBA) is required. The user-defined hardwareattributes are typically not capable of detection during an automaticinventory. In this manner, system administrator 20 creates a list ofattributes that the tier requires of its candidate computing nodes. Inaddition, particular node requirements may be defined for software imageinstances.

In addition to the node requirements described above, systemadministrator 20 may further define policies that are used whenre-provisioning computing nodes within the fabric. System administrator20 may define policies regarding tier characteristics, such as a minimumnumber of nodes a tier requires, an indication of whether or not afailed node is dynamically replaced by a node from free pool 13, apriority for each tier relative to other tiers, an indication of whetheror not a tier allows nodes to be re-provisioned to other tiers tosatisfy processing requirements by other tiers of a higher priority orother policies. Control node 12 uses the policy information input bysystem administrator 20 to re-provision computing nodes to meet tierprocessing capacity demands.

After receiving input from system administrator 20 defining thearchitecture and policy of the enterprise fabric, control node 12identifies unallocated nodes within free pool 13 that satisfy requirednode attributes. Control node 12 automatically assigns unallocated nodesfrom free pool 13 to respective tier node slots of a tier. As will bedescribed in detail herein, in one embodiment, control node 12 mayassign computing nodes to the tiers in a “best fit” fashion.Particularly, control node 12 assigns computing nodes to the tier whosenode attributes most closely match the node requirements of the tier asdefined by administrator 20. The assignment of the computing nodes mayoccur on a tier-by-tier basis beginning with a tier with the highestpriority and ending with a tier with the lowest priority. Alternatively,or in addition, assignment of computing nodes may be based ondependencies defined between tiers.

As will be described in detail below, control node 12 may automaticallyadd unallocated nodes from free pool 13 to a tier when more processingcapacity is needed within the tier, remove nodes from a tier to the freepool when the tier has excess capacity, transfer nodes from tier to tierto meet processing demands, or replace failed nodes with nodes from thefree pool. Thus, computing resources, i.e., computing nodes, may beautomatically shared between tiers and domains within the fabric basedon user-defined policies to dynamically address high-processing demands,failures and other events.

FIG. 2 is a schematic diagram illustrating an example embodiment oforganizational data 21 that defines a model logically representing anenterprise fabric in accordance with the invention. In the exampleillustrated in FIG. 2, control node 12 (FIG. 1) maintains organizationaldata 21 to define a simple e-commerce fabric 32.

In this example, e-commerce fabric 32 includes a storefront domain 34Aand a financial planning domain 34B. Storefront domain 34A correspondsto the enterprise storefront domain and allows customers to find andpurchase products over a network, such as the Internet. Financialplanning domain 34B allows one or more employees to perform financialplanning tasks for the enterprise.

Tier level 31C includes one or more tiers within each domain thatrepresent the functional subcomponents of applications and servicesprovided by the domain. For example, storefront domain 34A includes aweb server tier (labeled “web tier”) 36A, a business application tier(labeled “app tier”) 36B, and a database tier (labeled “DB tier”) 36C.Web server tier 36A, business application tier 36B and database tier 36Cinteract with one another to present a customer with an onlinestorefront application and services. For example, the customer mayinteract with web server tier 36A via a web browser. When the customersearches for a product, web server tier 36A may interacts with businessapplication tier 36B, which may in turn access a database tier 36C.Similarly, financial planning domain 34B includes a financial planningtier 36D that provides subcomponents of applications and services of thefinancial planning domain 34B. Thus, in this example, a domain mayinclude a single tier.

Tier level 31D includes one or more logical node slots 38A-38H (“nodeslots 38”) within each of the tiers. Each of node slots 38 include nodespecific information, such as software resources for an application node14 that is assigned to a respective one of the node slots 38. Node slots38 may, for instance, identify particular software image instanceswithin image repository 26 and map the identified software imageinstances to respective application nodes 14. As an example, node slots38A and 38B belonging to web server tier 36A may reference particularsoftware image instances used to boot two application nodes 14 toprovide web server functions. Similarly, the other node slots 38 mayreference software image instances to provide business applicationfunctions, database functions, or financial application functionsdepending upon the tier to which the node slots are logicallyassociated.

Although in the example of FIG. 2, there are two node slots 38corresponding to each tier, the tiers may include any number of nodeslots depending on the processing capacity needed on the tier.Furthermore, not all of node slots 38 may be currently assigned to anapplication node 14. For example, node slot 28B may be associated withan inactive software image instance and, when needed, may be assigned toan application node 14 for deployment of the software image instance.

In this example, organizational data 21 associates free node pool 13with the highest-level of the model, i.e., e-commerce fabric 32. Asdescribed above, control node 12 may automatically assign unallocatednodes from free node pool 13 to at least a portion of tier node slots 38of tiers 36 as needed using the “best fit” algorithm described above oranother algorithm. Additionally, control node 12 may also add nodes fromfree pool 13 to a tier when more processing capacity is needed withinthe tier, remove nodes from a tier to free pool 13 when a tier hasexcess capacity, transfer nodes from tier to tier to meet processingdemands, and replace failed nodes with nodes from the free tier.

Although not illustrated, the model for the enterprise fabric mayinclude multiple free node pools. For example, the model may associatefree node pools with individual domains at the domain level or withindividual tier levels. In this manner, administrator 20 may definepolicies for the model such that unallocated computing nodes of freenode pools associated with domains or tiers may only be used within thedomain or tier to which they are assigned. In this manner, a portion ofthe computing nodes may be shared between domains of the entire fabricwhile other computing nodes may be restricted to particular domains ortiers.

FIG. 3 is a flow diagram that provides a high-level overview of theoperation of control node 12 when configuring distributed computingsystem 10. Initially, control node 12 receives input from a systemadministrator defining the hierarchical organization of distributedcomputing system 10 (50). In one example, control node 12 receives inputthat defines a model that specifies a number of hierarchically arrangednodes as described in detail in FIG. 2. Particularly, the definedarchitecture of distributed computing system 10 includes an overallfabric having a number of hierarchically arranged domains, tiers andnode slots.

During this process, control node 12 may receive input specifying noderequirements of each of the tiers of the hierarchical model (52). Asdescribed above, administrator 20 may specify a list of attributes,e.g., a central processing unit (CPU) count, a CPU speed, an amount ofmemory (e.g., RAM), or local disk characteristics, that the tiersrequire of their candidate computing nodes. In addition, control node 12may further receive user-defined custom attributes, such as requiringthe node to have I/O, such as HBA connectivity. The node requirements orattributes defined by system administrator 20 may each include a nameused to identify the characteristic, a data type (e.g., integer, long,float or string), and a weight to define the importance of therequirement.

Control node 12 identifies the attributes for all candidate computingnodes within free pool 13 or a lower priority tier (54). As describedabove, control node 12 may have already discovered the computing nodesand inventoried the candidate computing nodes to identify hardwarecharacteristics of all candidate computing nodes. Additionally, controlnode 12 may receive input from system administrator 20 identifyingspecialized capabilities of one or more computing nodes that are notdetectable by the inventory process.

Control node 12 dynamically assigns computing nodes to the node slots ofeach tier based on the node requirements specified for the tiers and theidentified node attributes (56). Population of the node slots of thetier may be performed on a tier-by-tier basis beginning with the tierwith the highest priority, i.e., the tier with the highest weightassigned to it. As will be described in detail, in one embodiment,control node 12 may populate the node slots of the tiers with thecomputing nodes that have attributes that most closely match the noderequirements of the particular tiers. Thus, the computing nodes may beassigned using a “best fit” algorithm.

FIG. 4 is a flow diagram illustrating exemplary operation of controlnode 12 when assigning computing nodes to node slots of tiers.Initially, control node 12 selects a tier to enable (60). As describedabove, control node 12 may select the tier based on a weight or priorityassigned to the tier by administrator 20. Control node 12 may, forexample, initially select the tier with the highest priority andsuccessively enable the tiers based on priority.

Next, control node 12 retrieves the node requirements associated withthe selected tier (62). Control node 12 may, for example, maintain adatabase having entries for each node slot, where the entries identifythe node requirements for each of the tiers. Control node 12 retrievesthe node requirements for the selected tier from the database.

In addition, control node 12 accesses the database and retrieves thecomputing node attributes of one of the unallocated computing nodes offree pool 13. Control node 12 compares the node requirements of the tierto the node attributes of the selected computing node (64).

Based on the comparison, control node 12 determines whether the nodeattributes of the computing node meets the minimum node requirements ofthe tier (66). If the node attributes of the selected computing node donot meet the minimum node requirements of the tier, then the computingnode is removed from the list of candidate nodes for this particulartier (68). Control node 12 repeats the process by retrieving the nodeattributes of another of the computing nodes of the free pool andcompares the node requirements of the tier to the node attributes of thecomputing node.

If the node attributes of the selected computing node meet the minimumnode requirements of the tier (YES of 66), control node 12 determineswhether the node attributes are an exact match to the node requirementsof the tier (70). If the node attributes of the selected computing nodeand the node requirements of the tier are a perfect match (YES of 70),the computing node is immediately assigned from the free pool to a nodeslot of the tier and the image instance for the slot is associated withthe computing node for deployment (72).

Control node 12 then determines whether the node count for the tier ismet (74). Control node 12 may, for example, determine whether the tieris assigned the minimum number of nodes necessary to provide adequateprocessing capabilities. In another example, control node 12 maydetermine whether the tier is assigned the ideal number of nodes definedby system administrator 20. When the node count for the tier is met,control node 12 selects the next tier to enable, e.g., the tier with thenext largest priority, and repeats the process until all defined tiersare enabled, i.e., populated with application nodes (60).

If the node attributes of the selected computing node and the noderequirements of the tier are not a perfect match control node 12calculates and records a “processing energy” of the node (76). As usedherein, the term “processing energy” refers to a numericalrepresentation of the difference between the node attributes of aselected node and the node requirements of the tier. A positiveprocessing energy indicates the node attributes more than satisfy thenode requirements of the tier. The magnitude of the processing energyrepresents the degree to which the node requirements exceed the tierrequirements.

After computing and recording the processing energy of the nodes,control node 12 determines whether there are more candidate nodes infree pool 13 (78). If there are additional candidate nodes, control node12 repeats the process by retrieving the computing node attributes ofanother one of the computing nodes of the free pool of computing nodesand comparing the node requirements of the tier to the node attributesof the computing node (64).

When all of the candidate computing nodes in the free pool have beenexamined, control node 12 selects the candidate computing node havingthe minimum positive processing energy and assigns the selectedcomputing node to a node slot of the tier (80). Control node 12determines whether the minimum node count for the tier is met (82). Ifthe minimum node count for the tier has not been met, control node 12assigns the computing node with the next lowest calculated processingenergy to the tier (80). Control node 12 repeats this process until thenode count is met. At this point, control node 12 selects the next tierto enable, e.g., the tier with the next largest priority (60).

In the event there are an insufficient number of computing nodes in freepool 13, or an insufficient number of computing nodes that meet the tierrequirements, control node 12 notifies system administrator 20. Systemadministrator 20 may add more nodes to free pool 13, add more capablenodes to the free pool, reduce the node requirements of the tier so moreof the unallocated nodes meet the requirements, or reduce the configuredminimum node counts for the tiers.

FIG. 5 is a flow diagram illustrating exemplary operation of controlnode 12 when adding an additional computing node to a tier to meetincreased processing demands. Initially, control node 12 or systemadministrator 20 identifies a need for additional processing capacity onone of the tiers (90). Control node 12 may, for example, identify a highprocessing load on the tier or receive input from a system administratoridentifying the need for additional processing capacity on the tier.

Control node 12 then determines whether there are any computing nodes inthe free pool of nodes that meet the minimum node requirements of thetier (92). When there are one or more nodes that meet the minimum noderequirements of the tier, control node 12 selects the node from the freepool based the node requirements of the tier, as described above, (94)and assigns the node to the tier (95). As described in detail withrespect to FIG. 4, control node 12 may determine whether there are anynodes that have node attributes that are an exact match to the noderequirements of the tier. If an exact match is found, the correspondingcomputing node is assigned to a node slot of the tier. If no exact matchis found, control node 12 computes the processing energy for each nodeand assigns the computing node with the minimum processing energy to thetier. Control node 12 remotely powers on the assigned node and remotelyboots the node with the image instance associated with the node slot.Additionally, the booted computing node inherits the network addressassociated with the node slot.

If there are no adequate computing nodes in the free pool, i.e., nonodes at all or no nodes that match the minimal node requirements of thetier, control node 12 identifies the tiers with a lower priority thanthe tier needing more processing capacity (96).

Control node 12 determines which of the nodes of the lower prioritytiers meet the minimum requirements of the tier in need of processingcapacity (98). Control node 12 may, for example, compare the attributesof each of the nodes assigned to node slots of the lower priority tiersto the node requirements of the tier in need of processing capacity.Lower priority tiers that have the minimum number of computing nodes maybe removed from possible tiers from which to harvest an applicationnode. If, however, all the lower priority tiers have the minimum numberof computing nodes defined for the respective tier, the lowest prioritytier is selected from which to harvest the one or more nodes.

Control node 12 calculates the processing energy of each of the nodes ofthe lower priority tiers that meet the minimum requirements (100). Theenergies of the nodes are calculated using the differences between thenode attributes and the node requirements of the tier needing additionalcapacity. Control node 12 selects the computing node with the lowestprocessing energy that meets the minimum requirements, and assigns theselected computing node to the tier in need of processing capacity (102,95).

FIG. 6 is a flow diagram illustrating exemplary operation of controlnode 12 when harvesting excess node capacity from one of the tiers andreturning the harvested computing node to free pool 13. Initially,control node 12 identifies a tier having excess node capacity (110).Control node 12 may, for example, periodically check the node capacityof the tiers to identify any tiers having excess node capacity.Performing a periodic check and removal of excess nodes increases thelikelihood that a capable computing node will be in free pool 13 in theevent one of the tiers needs additional node capacity.

When harvesting a node, control node 12 calculates the processing energyof all the nodes in the tier as described above with reference to FIG. 4(112). Control node 12 identifies the node within the tier with thehighest processing energy and returns the identified node to the freepool of nodes (114, 116). As described above, the node with the highestprocessing energy corresponds to the node whose node attributes are themost in excess of the node requirements of the tier.

Returning the node to the free pool may involve remotely powering offthe computing node and updating the database to associate the harvestednode with free pool 13. In addition, control node 12 updates thedatabase to disassociate the returned node with the node slot to whichit was assigned. At this point, the node no longer uses the networkaddress associated with the image instance mapped to the node slot.Control node 12 may, therefore, assign a temporary network address tothe node while the node is assigned to free pool 13.

FIG. 7 is a screen illustration of an exemplary user interface 120presented by control node 12 with which administrator 20 interacts todefine tiers for a particular domain. In the example illustrated in FIG.7, system administrator 20 has selected the “Collage Domain.” Userinterface 120 presents the tiers that are currently in the selecteddomain. In the example illustrated, the Collage Domain includes threetiers, “test tier 1,” “test tier 2,” and “test tier 3.” As shown in FIG.7, in this example, each of the tiers includes two nodes. In addition,user interface 120 lists the type of software image currently deployedto application nodes for each of the tiers. In the example illustrated,image “applone (1.0.0)” is deployed to the nodes of test tier 1 andimage “appltwo (1.0.0)” is deployed to the nodes of test tier 2. Systemadministrator 20 may add one or more tiers to the domain by clicking onnew tier button 122.

FIG. 8 is a screen illustration of an exemplary user interface 130 fordefining properties of the tiers. In particular, user interface 130allows system administrator 20 to input a name for the tier, adescription of the tier, and an image associated with the tier. Theimage associated with the tier refers to a golden image from which imageinstances are generated and deployed to the nodes assigned to the tier.

When configuring a tier, system administrator 20 may elect to activateemail alerts. For example, system administrator 20 may activate theemail alerts feature in order to receive email alerts providing systemadministrator 20 with critical and/or non-critical tier information,such as a notification that a tier has been upgraded, a node of the tierhas failed or the like. Furthermore, system administrator 20 may inputvarious policies, such node failure rules. For example, systemadministrator 20 may identify whether control node 12 should reboot anode in case of failure or whether the failed node should automaticallybe moved to maintenance pool 17. Similarly, system administrator 20 mayidentify whether nodes assigned to the tier may be harvested by othertiers.

User interface 130 may also allow system administrator 20 to input noderequirements of a tier. In order to input node requirements of a tier,system administrator 20 may click on the “Requirements” tab 132, causinguser interface 130 to present an input area to particular noderequirements of the tier.

FIG. 9 is a screen illustration of an exemplary user interface 140 forviewing and identifying properties of a computing node. User interface140 allows system administrator 20 to define a name, description, andlocation (including a rack and slot) of a computing node. In additionuser interface 140 may specify user-defined properties of a node, suchas whether the computing node has I/O HBA capabilities.

User interface 140 also displays properties that control node 12 hasidentified during the computing node inventory process. In this example,user interface 140 presents system administrator 20 with the a CPU nodecount, a CPU speed, the amount of RAM, the disk size and othercharacteristics that are identifiable during the automated nodeinventory. User interface 140 additionally presents interfaceinformation to system administrator 20. Specifically, user interface 140provides system administrator 20 with a list of components and theirassociated IP and MAC addresses.

User interface 140 also allows system administrator 20 to define othercustom requirements. For example, system administrator 20 may define oneor more attributes and add those attributes to the list of nodeattributes presented to system administrator 20.

FIG. 10 is a screen illustration of an exemplary user interface 150 forviewing software images. User interface 150 presents to a systemadministrator or another user a list of images maintained by controlnode 12 within image repository 26. The image list further includes thestatus of each image (i.e., either active or inactive), the version ofthe image, the operating system on which the image should be run, theoperating system version on which the image should be run and a briefdescription of the image.

System administrator 20 or another user may select an image by clickingon the box in front of the image identifier/name and perform one or moreactions on the image. Actions that system administrator 20 may performon an image include deleting the image, updating the image, and thelike. System administrator 20 may select one of the image actions viadropdown menu 152. In some embodiments, user interface 150 may furtherdisplay other details about the images such as the node to which theimages are assigned (if the node status is “active”), the networkaddress associated with the images and the like.

FIG. 11 is a screen illustration of an exemplary user interface 160 forviewing a hardware inventory report. User interface 160 presents tosystem administrator 20 or another user a list of the nodes that arecurrently assigned to a domain. System administrator 20 may elect toview the nodes for the entire domain, for a single tier within thedomain or for a single rack within a tier.

For each node, user interface 160 presents a node ID, a status of thenode, the tier to which the node belongs, a hostname associated with thenode, a NIC IP address, a rack location, a slot location, the number ofCPU's of the node, the amount of RAM on the node, the number of disks onthe node, whether the node has I/O HBA, and the number of NICs of thenode.

System administrator 20 or other user may select a node by clicking onthe box in front of the node identifier/name and perform one or moreactions on the node. Actions that system administrator 20 may perform onthe node include deleting the node, updating the node attributes orother properties of the node, and the like. System administrator 20 mayselect one of the node actions via dropdown menu 162.

FIG. 12 is a screen illustration of an exemplary user interface 170 forviewing discovered nodes that are located in discovered pool 11. Foreach node, user interface 170 presents a node ID, a state of the node, aNIC IP address, a rack location, a slot location, the number of CPU's ofthe node, the amount of RAM on the node, the number of disks on thenode, whether the node has I/O HBA, and the number of NICs of the node.

FIG. 13 is a screen illustration of an exemplary user interface 180 forviewing users of distributed computing system 10. User interface 180presents a list of users as well as the role assigned to each of theusers and the status of each of the users. Thus, system administrator 20may define different roles to each of the users. For example, a user maybe either an operator (i.e., general user) or an administrator. Systemadministrator 20 may add a new user to the list of users by clicking onthe “New User” button 182.

FIG. 14 is a screen illustration of an exemplary user interface 190 forviewing alerts for distributed computing system 10. For each of thealerts, user interface 190 identifies the severity of the alert, whetherthe alert has been acknowledged, an object associated with the alert, anevent associated with the alert, a state of the alert, a user associatedwith the alert and a date associated with the alert.

System administrator 20 or other user may select an alert by clicking onthe box in front of the logged alert and perform one or more actions onthe logged alert. Actions that system administrator 20 may performinclude deleting the alert, changing the status of the alert, or thelike. System administrator 20 may specify the log actions via dropdownmenu 192.

FIG. 15 is a block diagram illustrating one embodiment of control node12 in further detail. In the illustrated example, control node 12includes a monitoring subsystem 202, a service level automationinfrastructure (SLAI) 204, and a business logic tier (BLT) 206.

Monitoring subsystem 202 provides real-time monitoring of thedistributed computing system 10. In particular, monitoring subsystem 202dynamically collects status data 203 from the hardware and softwareoperating within distributed computing system 10, and feeds the statusdata in the form of monitor inputs 208 to SLAI 204. Monitoring inputs208 may be viewed as representing the actual state of the fabric definedfor the organizational model implemented by distributed computing system10. Monitoring subsystem 202 may utilize well defined interfaces, e.g.,the Simple Network Management Protocol (SNMP) and the Java ManagementExtensions (JMX), to collect and export real-time monitoring informationto SLAI 204.

SLAI 204 may be viewed as an automation subsystem that provides supportfor autonomic computing and acts as a central nervous system for thecontrolled fabric. In general, SLAI 204 receives monitoring inputs 208from monitoring subsystem 202, analyzes the inputs and outputsappropriate action requests 212 to BLT 206. In one embodiment, SLAI 204is a cybernetic system that controls the defined fabric via feedbackloops. More specifically, administrator 20 may interact with BLT 206 todefine an expected state 210 for the fabric. BLT 206 communicatesexpected state 210 to SLAI 204. SLAI 204 receives the monitoring inputsfrom monitoring subsystem 202 and applies rules to determine the mosteffective way of reducing the differences between the expected andactual states for the fabric.

For example, SLAI 204 may apply a rule to determine that a node within ahigh priority tier has failed and that the node should be replaced byharvesting a node from a lower priority tier. In this example, SLAI 204outputs an action request 212 to invoke BLT 206 to move a node from onetier to the other.

In general, BLT 206 implements high-level business operations onfabrics, domains and tiers. SLAI 204 invokes BLT 206 to bring the actualstate of the fabric into accordance with the expected state. Inparticular, BLT 206 outputs fabric actions 207 to perform the physicalfabric changes. In addition, BLT 206 outputs an initial expected state210 to SLAI 204 and initial monitoring information 214 to SLAI 204 andmonitoring subsystem 202, respectively. In addition, BLT 206 outputsnotifications 211 to SLAI 204 and monitoring subsystem 202 to indicatethe state and monitoring changes to distributed computing system 10. Asone example, BLT 206 may provide control operations that can be used toreplace failed nodes. For example, BLT 206 may output an action requestindicating that a node having address 10.10.10.10 has been removed fromtier ABC and a node having address 10.10.10.11 has been added to tierXYZ. In response, monitoring subsystem 202 stops attempting to collectstatus data 203 from node 10.10.10.10 and starts monitoring for statusdata from node 10.10.10.11. In addition, SLAI 204 updates an internalmodel to automatically associate monitoring inputs from node 10.10.10.11with tier XYZ.

FIG. 16 is a block diagram illustrating one embodiment of monitoringsubsystem 202. In general, monitoring subsystem 202 dynamically detectsand monitors a variety of hardware and software components within thefabric. For example, monitoring subsystem 202 identifies, in a timelyand efficient manner, any computing nodes that have failed, i.e., anynode that does not respond to a request to a known service. Moregenerally, monitoring subsystem 202 provides a concise, consistent andconstantly updating view of the components of the fabric.

As described further below, monitoring subsystem 202 employs a modulararchitecture that allows new detection and monitoring collectors 224 tobe “plugged-in” for existing and new protocols and for existing and newhardware and software. As illustrated in FIG. 16, monitoring subsystem202 provides a plug-in architecture that allows different informationcollectors 224 to be installed. In general, collectors 224 areresponsible for protocol-specific collection of monitoring information.The plug-in architecture allows for new protocols to be added by simplyadhering to a collector plug-in signature. In this example, monitoringsubsystem 202 includes collectors 224A and 224B for collectinginformation from operating systems and applications executing on nodeswithin tier A and tier B, respectively.

In one embodiment, collectors 224 are loaded at startup of control node12 and are configured with information retrieved from BLT 206.Monitoring engine 222 receives collection requests from SLAI 204, sortsand prioritizes the requests, and invokes the appropriate one ofcollectors 224 based on the protocol specified in the collectionrequests. The invoked collector is responsible for collecting therequired status data and returning the status data to monitoring engine222. If the collector is unable to collect the requested status data,the collector returns an error code.

In one embodiment, collectors 224 are Java code compiled into a jar fileand loaded with a class loader at run time. Each of collectors 224 hasan associated configuration file written in a data description language,such as the extensible markup language (XML). In addition, a user mayinteract with BLT 206 to add run-time configuration to dynamicallyconfigure collectors 224 for specific computing environments. Each ofcollectors 224 expose an application programming interface (API) tomonitoring engine 222 for communication and data exchange.

A user, such as a system administrator, specifies the protocol orprotocols to be used for monitoring a software image when the image iscreated. In addition, the users may specify the protocols to be used formonitoring the nodes and each service executing on the nodes. Exampleprotocols supported by the collectors 224 include Secure Shell (SSH),Simple Network Management Protocol (SNMP), Internet Control MessageProtocol (ICMP) ping, Java Management Extensions (JMX) and the HypertextTransfer Protocol (HTTP).

Some protocols require special privileges, e.g., root privileges, toperform the required data collection. In this case, the correspondingcollectors 224 communicate with a separate process that executes as theroot. Moreover, some protocols may require deployment and/orconfiguration of data providers within the fabric. Software agents may,for example, be installed and configured on nodes and configured onother hardware. If needed, custom in-fabric components may be deployed.

In this example, the modular architecture of monitoring subsystem 202also supports one or more plug-in interfaces 220 for data collectionfrom a wide range of third-party monitoring systems 228. Third-partymonitoring systems 228 monitor portions of the fabric and may bevendor-specific.

FIG. 17 is a block diagram illustrating one embodiment of SLAI 204 infurther detail. In the illustrated embodiment, SLAI 204 is composed ofthree subsystems: a sensor subsystem 240, an analysis subsystem 244 andan effector subsystem 248.

In general, sensor subsystem 240 receives actual state data frommonitoring subsystem 202 in the form of monitoring inputs 208 andsupplies ongoing, dynamic input data to analysis subsystem 244. Forexample, sensor subsystem 240 is notified of physical changes todistributed computing system 10 by monitoring subsystem 202. Sensorsubsystem 240 uses the state data received from monitoring subsystem 202to maintain ongoing, calculated values that can be sent to analysissubsystem 244 in accordance with scheduler 242.

In one embodiment, sensor subsystem 240 performs time-based hierarchicaldata aggregation of the actual state data in accordance with the definedorganization model. Sensor subsystem 240 maintains organizational datain a tree-like structure that reflects the current configuration of thehierarchical organization model. Sensor subsystem 240 uses theorganizational data to perform the real-time data aggregation and maptiers and domains to specific nodes. Sensor subsystem 240 maintains theorganizational data based on notifications 211 received from BLT 206.

Sensor subsystem 240 sends inputs to analysis subsystem 244 tocommunicate the aggregated data on a periodic or event-driven basis.Analysis subsystem 244 may register an interest in a particularaggregated data value with sensor subsystem 240 and request updates at aspecified frequency. In response, sensor subsystem 240 interacts withmonitoring subsystem 202 and scheduler 242 to generate the aggregateddata required by analysis subsystem 244.

Sensor subsystem 240 performs arbitrary data aggregations via instancesof plug-in classes (referred to as “triggers”) that define theaggregations. Each trigger is registered under a compound name based onthe entity being monitored and the type of data being gathered. Forexample, a trigger may be defined to aggregate and compute an averagecomputing load for a tier every five minutes. Analysis subsystem 244requests the aggregated data based on the registered names. In someembodiments, analysis subsystem 244 may define calculations directly andpass them to sensor subsystem 240 dynamically.

Analysis subsystem 244 is composed of a plurality of forward chainingrule engines 246A-246N. In general, rule engines 246 match patterns in acombination of configuration data and monitoring data, which ispresented by extraction agent 251 in the form of events. Events containthe aggregated data values that are sent to rule engines 246 inaccordance with scheduler 242.

Sensor subsystem 240 may interact with analysis subsystem 244 viatrigger listeners 247 that receives updates from a trigger within sensorsubsystem 240 when specified events occur. An event may be based onsystem state (e.g., a node transitioning to an up or down state) or maybe time based.

Analysis subsystem 244 allows rule sets to be loaded in source form andcompiled at load time into discrimination networks. Each rule setspecifies trigger-delivered attributes. Upon loading the rule sets,analysis subsystem 244 establishes trigger listeners 247 to receivesensor notifications and update respective working memories of ruleengines 246. As illustrated in FIG. 17, each of rule engines 246 mayserve a different tier defined within the fabric. Alternatively,multiple rule engines 246 may serve a single tier or a single ruleengine may serve multiple tiers.

Rule engines 246 process the events and invoke action requests via callsto effector subsystem 248. In addition, rule engines 246 provide acall-back interface so that effector subsystem 248 can inform a ruleengine when an action has completed. Rule engines 246 prevent aparticular rule from re-firing as long as any action invoked by the rulehas not finished. In general, rules contain notification calls andservice invocations though either may be disabled by configuration ofeffector subsystem 248. BLT 206 supplies initial system configurationdescriptions to seed each of rule engines 246.

In general, rule engines 246 analyze the events and discoverdiscrepancies between an expected state of the fabric and an actualstate. Each of rule engines 246 may be viewed as software that performslogical reasoning using knowledge encoded in high-level condition-actionrules. Each of rule engines 246 applies automated reasoning that worksforward from preconditions to goals defined by system administrator 20.For example, rule engines 246 may apply modus ponens inferences rules.

Rule engines 246 output requests to effector subsystem 248 which produceactions requests 212 for BLT 206 to resolve the discrepancies. Effectorsubsystem 248 performs all operations on behalf of analysis subsystem244. For example, event generator 250, task invocation module 252 andlogger 254 of effector subsystem 248 perform event generation, BLTaction invocation and rule logging, respectively. More specifically,task invocation module 252 invokes asynchronous operations within BLT206. In response, BLT 206 creates a new thread of control for each taskwhich is tracked by a unique task identifier (task id). Rules engine 246uses the task id to determine when a task completes and, if needed, tore-fire any rules that were pended until completion of the task. Thesetasks may take arbitrary amounts of time, and rules engine 246 tracksthe progress of individual task via change notifications 211 produced byBLT 206.

Event generator 250 creates persistent event records of the state ofprocessing of SLAI 204 and stores the event records within a database.Clients uses these event records to track progress and determine thecurrent state of the SLAI 204.

Logger 254 generates detailed trace information about system activitiesfor use in rule development and debugging. The logging level can beraised or lowered as needed without changing operation of SLAI 204.

FIG. 18 is a block diagram of an example working memory 270 associatedwith rule engines 246. In this example, working memory 270 includes aread-only first data region 272 that stores the expected state receivedfrom BLT 206. Data region 272 is read-only in the sense that it cannotbe modified in response to a trigger from sensor subsystem 240 or byrule engines 246 without notification from BLT 206.

In addition, working memory 270 includes a second data region 274 thatis modifiable (i.e., read/write) and may be updated by monitoringsubsystem 202 or used internally by rule engines 246. In general, dataregion 274 stores aggregated data representing the actual state of thefabric and can be updated by sensor subsystem 240 or by rule engines246. The actual state may consist of a set of property annotations thatcan be attached to objects received from BLT 206 or to objects locallydefined within a rule engine, such as local object 276.

FIG. 19 is a block diagram illustrating an example embodiment for BLT206. In this example, BLT 206 includes a set of one or more web servicedefinition language (WSDL) interfaces 300, a report generator 302, afabric administration interface service 304, a fabric view service 306,a user administration service 308, a task interface 311, a task manager312 and an event subsystem 315.

As described, BLT 206 provides the facilities necessary to create andadminister the organizational model (e.g., fabric, domains, tiers andnodes) implemented by distributed computing system 10. In general, BLT206 abstracts access to the persisted configuration state of the fabric,and controls the interactions with interfaces to fabric hardwareservices. As such, BLT 206 provides fabric management capabilities, suchas the ability to create a tier and replace a failed node. WSDLinterfaces 300 provide web service interfaces to the functionality ofBLT 206 that may be invoked by web service clients 313. Many of WSDLinterfaces 300 offered by BLT 206 allow administrator 20 to definegoals, such as specifying a goal of the expected state of the fabric. Asfurther described below, rule engines 246 within SLAI 204, in turn,invoke task manger 312 to initiate one or more BLT tasks to achieve thespecified goal. In general, web service clients 313 may be presentationlayer applications, command line applications, or other clients.

BLT 206 abstracts all interaction with physical hardware for web serviceclients 313. BLT 206 is an enabling component for autonomic managementbehavior, but does not respond to real-time events that either prevent agoal from being achieved or produce a set of deviations between theexpected state and the actual state of the system. In contrast, BLT 206originates goals for autonomic reactions to changing configuration andstate. SLAI 204 analyzes and acts upon these goals along with real-timestate changes. BLT 206 sets the goals to which SLAI 204 strives toachieve, and provides functionality used by the SLAI in order to achievethe goals.

In general, BLT 206 does not dictate the steps taken in pursuit of agoal since these are likely to change based on the current state ofdistributed computing system 10 and changes to configurable policy. SLAI204 makes these decisions based on the configured rule sets for thefabric and by evaluating monitoring data received from monitoringsubsystem 202.

Fabric administration service 304 implements a set of methods formanaging all aspects of the fabric. Example methods include methods foradding, viewing, updating and removing domains, tiers, nodes,notifications, assets, applications, software images, connectors, andmonitors. Other example methods include controlling power at a node, andcloning, capturing, importing, exporting or upgrading software images.Rule engines 246 of SLAI 204 may, for example, invoke these methods byissuing action requests 212.

Task manager 312 receives action requests 212 via task interface 311. Ingeneral, task interface 311 provides an interface for receiving actionrequests 212 from SLAI 204 or other internal subsystem. In response,task manager 312 manages asynchronous and long running actions that areinvoked by SLAI 204 to satisfy a goal or perform an action requested bya client.

Task manager 312 generates task data 310 that represents identificationand status for each task. Task manager 312 returns a task identifier tothe calling web service clients 313 or the internal subsystem, e.g.,SLAI 204, that initiated the task. Rule engines 246 and web serviceclients 313 use the task identifiers to track progress and retrieveoutput, results, and errors associated with achieving the goal.

In one embodiment, there are no WSDL interfaces 300 for initiatingspecific tasks. Rather, administrator 20 interacts with BLT 206 thoughgoal interfaces presented by WSDL interfaces 300 to define the goals forthe fabric. In contrast, the term task is used to refer to internalsystem constructs that require no user interaction. Tasks are distinct,low-level units of work that affect the state of the fabric. SLAI 204may combine tasks to achieve or maintain a goal state.

For example, administrator 20 can request configuration changes byeither adding new goals to an object or by modifying the attributes onexisting goals. Scheduled goals apply a configuration at a designatedtime. For example, the goals for a particular tier may specify theminimum, maximum, and target node counts for that tier. As a result, thetier can increase or decrease current node capacity by scheduling goalswith different configuration values.

This may be useful, for example, in scheduling a software image upgrade.As another example, entire domains may transition online and offline pera defined grid schedule. Administrator 20 may mix and match goals on acomponent to achieve configurations specific to the application andenvironment. For example, a tier that does not support autonomic nodereplacement would not be configured with a harvesting goal.

In some embodiments, goals are either “in force” or “out of force.” SLAI204 only works to achieve and maintain those goals that are currently inforce. SLAI 204 may applies a concept of “gravity” as the goalstransition from in force to out of force. For example, SLAI 204 maytransition a tier offline when an online goal is marked out of force.Some goal types may have prerequisite goals. For example, an imageupgrade goal may require as a prerequisite that a tier be transitionedto offline before the image upgrade can be performed. In otherembodiments, goals are always in force until modified.

SLAI 204 may automatically formulate dependencies between goals or mayallow a user to specify the dependencies. For example, a user mayrequest that a newly created tier come online. As a result of this goal,SLAI 204 may automatically direct task manager 312 to generate a task ofharvesting a target number of nodes to enable the tier. Generally, allgoals remain in-force by SLAI 204 until modified by BLT 206. In oneembodiment, each goal remains in-force in one of three states:Satisfied, Warning, or Critical depending on how successful SLAI 204 wasin achieving the goal at the time the event record was generated andstored.

In this manner, SLAI 204 controls the life cycle of a goal (i.e., thecreation, scheduling, update, deletion of the goal), and provides acommon implementation of these and other services such as timeout, eventwriting, goal conflicts, management of intra-goal dependencies, andtracking tasks to achieving the goals.

Progress toward a goal is tracked though event subsystem 315. Inparticular, event subsystem 315 tracks the progress of each in forcegoal based on the goal identifiers. Tasks executed to achieve aparticular goal produce events to communicate result or errors. Theevents provide a convenient time-based view of all actions andbehaviors.

Examples of goal types that may be defined by administrator 20 includesoftware image management goals, node allocation goals, harvest goals,tier capacity goals, asset requirement goals, tier online/offline goals,and data gathering goals.

In one embodiment, BLT 206 presents a task interface to SLAI 204 for thecreation and management of specific tasks in order to achieve thecurrently in force goals. In particular, rule engines 246 invoke thetask interface based on evaluation of the defined rule sets in view ofthe expected state and actual state for the fabric. Example taskinterfaces include interfaces to: reserve node resources; queryresources for a node slot; associate or disassociate an image with anode in a tier node slot; allocate, de-allocate, startup or shutdown anode; move a node to a tier; apply, remove or cycle power of a node;create a golden image; create or delete an image instance; and delete anactivity, node or tier.

Report generator 302 provides an extensible mechanism for generatingreports 314. Typical reports include image utilization reports thatcontain information with respect to the number of nodes running eachsoftware image, inventory reports detailing both the logical andphysical aspects of the fabric, and system event reports showing allevents that have occurred within the fabric. Report generator 302gathers, localizes, formats and displays data into report form forpresentation to the user. Report generator 302 may include one or moredata gathering modules (not shown) that gather events in accordance witha schedule and update an events table to record the events. The datagathering modules may write the events in XML format.

FIG. 20 is a block diagram illustrating one embodiment of a rule engine246 (FIG. 17). In the illustrated embodiment, rule engine 246 includes arule compiler 344 and an execution engine 346. Each of rules 342represents a unit of code that conforms to a rule language and expressesa set of triggering conditions and a set of implied actions. When theconditions are met, the actions are eligible to occur. The following isone example of a configuration rule:

rule checkTierLoad { Tier t where status != “overloaded”; LoadParameterp where app == t.app && maxload < t.load; } −> { modify t { status:“overloaded”; }; }When translated, this example rule marks a tier as overloaded if anapplication is implemented by the tier and the maximum specified loadfor the application has been exceeded. Another example rule foroutputting a notification that a tier is overloaded and automaticallyinvoking a task within BLT 206 to add a node is:

rule tierOverloadNotify { Tier t where status == “overloaded”; } −> {notify “Tier: ” + t + “is overloaded.”; BLT.addNode(f); }

Rule compiler 344 compiles each of rules 344 and translates matchconditions of the rules into a discrimination network that avoidsredundant tests during rule execution. Execution engine 346 handles ruleadministration, object insertion and retrieval, rule invocation andexecution of rule actions. In general, execution engine 346 firstmatches a current set of rules 342 against a current state of workingmemory 348 and local objects 350. Execution engine 346 then collects allrules that match as well as the matched objects and selects a particularrule instantiation to fire. Next, execution engine 346 fires (executes)the instantiated rule and propagates any changes to working memory 348.Execution engine 346 repeats the process until no more matching ruleinstantiations can be found.

Firing of a rule typically produces a very small number of changes toworking memory 348. This allows sophisticated rule engines to scale byretaining match state between cycles. Only the rules and ruleinstantiations affected by changes are updated, thereby avoiding thebulk of the matching process. One exemplary algorithm that may be usedby execution engine 346 to handle the matching process includes the RETEalgorithm that creates a decision tree that combines the patterns in allthe rules and is intended to improve the speed of forward-chained rulesystem by limiting the effort required to re-compute a conflict setafter a rule is fired. One example of a RETE algorithm is described inForgy, C. L.: 1982, ‘RETE: a fast algorithm for the many pattern/manyobject pattern match problem’, Artificial Intelligence 19, 1737, herebyincorporated by reference. Other alternatives include the TREATalgorithms, and LEAPS algorithm, as described by Miranker, D. P.:‘TREAT: A New and Efficient Match Algorithm for AI Production Systems’.ISBN 0934613710 Daniel P. Miranker, David A. Brant, Bernie Lofaso, DavidGadbois: On the Performance of Lazy Matching in Production Systems. AAAI1990: 685692, each of which is hereby incorporated by reference.

FIG. 21 is a block diagram illustrating an alternative embodiment ofcontrol unit 12 (FIG. 15). In this embodiment, control unit 12 operatessubstantially as described above, but includes an application matrix350, an application governor 352, a configuration processor 354, and anapplication service level automation infrastructure (“application SLAI”)358. As described below, application matrix 350, application governor352, configuration processor 354, and application SLAI 358 provide aframework that allows control unit 12 to autonomically control thedeployment, execution and monitoring of applications across applicationnodes 14 of distributed computing system 10.

Application matrix 350 contains all the information needed by controlunit 12 to interact with one or more applications or application serversand provide autonomic control over a set of applications. Specifically,application matrix 350 provides a logical definition for deploying andcontrolling the set of applications to one or more tiers withindistributed computing system 10. In one embodiment, application matrix350 is an electronic document that conforms to a data descriptionlanguage, e.g., the extensible markup language (XML). Application SLAI358 includes an application rules engine 355 dedicated to processingapplication-level rules, i.e., forward-chaining rules to provideautonomic control over the applications defined within applicationmatrix 350. Like rules engine 246, application rules engine 355 containsa rule compiler, an execution engine, and a working memory. In order togive effect to changes in application matrix 350, application SLAI 358automatically updates application rules engine 355 and monitoringsubsystem 202. In particular, application matrix 350 sends an alertwhenever application matrix 350 changes. In response to this alert,application SLAI 358 captures application-specific attributes fromapplication matrix 350. Specifically, application SLAI 358 capturesconfiguration attributes and rule attributes contained in applicationmatrix 350. Application SLAI 358 transfers any new rule attributes tothe working memory of application rules engine 355 to provide autonomiccontrol over the deployment, monitoring and the execution of theapplications defined within application matrix 350. In addition,application SLAI 358 updates monitoring subsystem 202 to collectinformation required to control the applications In this manner,administrator 20 may continue to add new application definitions andconfigurations to application matrix 350 after distributed control node12 has started.

As described in further detail below, configuration processor 354 is asoftware module that generates an application matrix entry based on anapplication definition and application configuration properties of a“staged” application. A staged application is an application that hasbeen deployed in a staging environment and customized for subsequentdeployment within distributed computing system 10. After creating theapplication matrix entry, administrator 20 may insert the applicationmatrix entry into application matrix 350.

Configuration processor 354 is “pluggable.” That is, administrator 20can “plug in” different implementations of configuration processor 354as needed. For example, administrator 20 may need to “plug in” adifferent implementation of configuration processor 354 to handleapplications that do not use an application server.

Application governor 352 is a software engine that performsapplication-level actions based on requests received from applicationrules engine 355. In this manner, BLT 206 effects fabric-level actions(e.g., deployment and monitoring of nodes and images) based on requestfrom fabric-level rules engines 246 (FIG. 17), while matrix governor 352performs application-level actions (e.g., deployment and monitoring ofapplications) based on requests from application rules engine 355.

Application governor 352 uses application matrix 350 as a source ofparameters when carrying out the application-level operations requestedby application rules engine 355. For example, application rules engine355 may detect that a node to which the application is not deployed isready for use by the application. As a result, application rules engine355 directs application governor 352 to handle the details of deployingthe application to the node. In turn, application governor 352 accessesapplication matrix 350 to retrieve application-specific parametersnecessary to deploy the application. Storing application-specificparameters in application matrix 350 allows the application-specificparameters to change without having to recompile the rules withinworking memory of application rules engine 355.

Application governor 352 performs a similar procedure to undeploy anapplication. That is, application rules engine 355 may detect that asecond application needs to use a node more than a first applicationthat is currently deployed to the node. In this situation, applicationrules engine 355 sends an instruction to application governor 352 toundeploy the first application and deploy the second application. Tocarry out this instruction, application governor 352 accessesapplication matrix 350 to discover configuration parameters of bothapplications. Application governor 352 then uses the discoveredconfiguration parameters to communicate with the applications.

Like configuration processor 354, application governor 352 is also“pluggable.” That is, administrator 20 can easily install or removeimplementations of application governor 352 depending on thecircumstances. Because application governor 352, and configurationprocessor 354 represent interchangeable, plug-in modules, the otherparts of control unit 12 and system 10, including application rulesengine 355, can remain generic and application neutral while providingautonomic control over distributed computing system 10.

FIG. 22 provides a conceptual view of an exemplary application matrix350. Although application matrix 350 is typically represented in anencoded, electronic document (e.g., an XML document), FIG. 22 provides aconceptual view for ease of illustration.

In this example, application matrix 350 contains seven columns and tworows. Each row represents a different application entry for deploymentwithin distributed computing system 10. In FIG. 22, only the first entryis shown in detail.

Each of the columns represents a different category of elements thatmake up an application's logical definition. In this example, thecolumns include:

(1) an application column 360 that includes elements generally relatedto the deployment of the application,

(2) an application nodes column 362 that contains elements related tothe tier node slots to which the application may be assigned,

(3) a services column 364 that contains elements related to theexecutable services launched when the application is deployed,

(4) a node monitor values column 366 that contains elements related toattributes of the nodes that are to be monitored after the applicationis deployed to that node,

(5) a service monitored attributes column 368 that contains elementsrelated to attributes of the services that are to be monitored after theapplication is deployed,

(6) a service levels column 370 that contains elements related toattributes for use when constructing rules to monitor execution of theservices, and

(7) a deployment constraints column 372 that contains elements relatedto attributes for use when constructing rules to control deployment ofthe application. Different types of applications may have differentelements in each column, and different numbers of columns.

In the example of FIG. 22, application matrix 350 contains twoapplications 360 “DataDomain” 374 and “PortalDomain” 376. DataDomainapplication 374 has eleven attributes that define how control node 12accesses and launches the application. For instance, the “adminIP” and“adminPort” attributes instruct governor 352 as to which the server andport hosts the administrative part of the logically defined application.Other attributes like “maxNodes” and “minNodes” instruct applicationrules engine 355 to run the application no less than minNodes and nomore than maxNodes. Applications other than application 374 may havedifferent numbers or types of attributes. In XML format, the attributesof application 374 may appear as follows:

<WebServerDomain name=“DataDomain” adminIP=“172.31.64.201”adminPort=“1100” adminTier=“Web Admin” clusterName=“PathCluster”expectedStartupDelay=“120” loadDelay=“120” maxNodes=“2” minNodes=“1”nodeManagerPort=“5811” nodeTier=“Web App” >

In addition to these attributes, application 374 contains a series ofelements (columns 362-372). In general, application nodes 362 contain alist of all of the available tier-node slots to which control node 12may deploy application 374. In this example, two tier-node slots arespecified. In XML, managed servers 362 appears as:

<ManagedServers IP=“172.31.64.201” name=“managedServer_0”state=“STOPPED” /> <ManagedServers IP=“172.31.64.201”name=“managedServer_1” state=“STOPPED” />

Each services 364 element identifies a service that control node 12launches when deploying application 374 on a given application node. Aservice element comprises a service name and a path to a file containingthe executable service. Governor 352 uses the path to locate and launchthe service. For example, the following XML code indicates that governor352 must access the file at “/lib/worklistApp/worklistApp.ear”.

<services name=“Worklist User Interface”path=“/lib/worklistApp/worklistApp.ear” />

Node Monitored Values 366 elements represent characteristics for use inconstructing rules for monitoring nodes to which the applications aredeployed. Similarly, Service Monitored Values 368 elements representcharacteristics for use in constructing rules for monitoring servicesthat are launched once the application is deployed. In this example, a“nodeMonitoredValues” element defines characteristics of a particularnode that are to be monitored. For instance, the amount of free memoryin a node is one example of a characteristic listed as a“nodeMonitoredValues” element. On the other hand, a“serviceMonitoredValues” element is specific attribute of a service thatis to be monitored. For example, the number of pending operatingsystem-level requests for the service, the number of idle threads, etc.,could be service monitored values. In a XML rendition of application,matrix 350, node monitored values and service monitored values couldappear as follows:

<nodeMonitoredValues name=“Load5Average” /> <nodeMonitoredValuesname=“PercentMemoryFree” /> <serviceMonitoredValuesname=“PendingRequests” /> <serviceMonitoredValuesname=“ExecuteThreadIdleCount” /> <serviceMonitoredValuesname=“ExecuteThreadTotalCount” />

Deployment constraint elements 372 specify characteristics of a nodeunder which application rules engine 355 should (or should not) deploy aservice to the node. In this example, a deployment constraint elementhas five attributes: “attribute”, “expression”, “frequency”,“maxThreshold”, “minThreshold”, and “period.” The “attribute” attributenames the deployment constraint. The “expression” attribute specifies anarithmetic expression manipulating a monitored value. For example, theexpression could be “PercentMemoryFree*100”, meaning monitor the valueof the “PercentMemoryFree” node monitored value multiplied by 100. The“expression” attribute may specify one or more node monitored values.The “frequency” attribute informs application rules engine 355 howfrequently to check the monitored value. The “maxThreshold” attributetells application rules engine 355 to invoke a rule when the value ofthe expression exceeds the value specified by the “maxThreshold”attribute. Similarly, the “minThreshold” attribute tells applicationrules engine 355 to invoke the rule when the value of the expressiondrops below the value specified by the “minThreshold” attribute.Finally, the “period” attribute informs application rules engine 355 ofthe period over which to collect monitored value. For example, adeployment constraint element may specify that application rules engine355 should monitor the PercentMemoryFree attribute of a node every 15seconds for 60 seconds. If the value of PercentMemoryFree*100 shoulddrop below 1.0 (i.e. 1% of memory free) for 60 seconds, then applicationrules engine 355 should not deploy the application to that node. In XML,this rule would be represented as:

<deploymentConstraints attribute=“FreeMemory”expression=“PercentMemoryFree*100” frequency=“15” maxThreshold=“− 1.0”minThreshold=“1.0” period=“60” />

Service level elements 370 have the same five attributes as deploymentconstraints elements: “attribute”, “expression”, “frequency”,“maxThreshold”, “minThreshold”, and “period”. However, the “expression”attribute deals with service monitored attributes rather than nodemonitored attributes. For example, a service level element may specifythat application rules engine 355 check the “pendingRequest”service-monitored attribute every 15 seconds for 30 seconds. Then, ifthere are more than 20 pending requests for more than 30 seconds,application rules engine 355 should take the action of starting a newapplication. On the other hand, if there are fewer than 5 pendingrequests for 30 seconds, application rules engine 355 enables the actionto remove the application to free up space on a node. Such a servicelevel element could be represented as:

<serviceLevels attribute=“PendingRequests” expression=“PendingRequests”frequency=“15” maxThreshold=“20.0” minThreshold=“5.0” period=“30” />

Put together, an XML representation of an application matrix logicallydefining a single application for deployment within autonomicallycontrolled distributed computing system 10 may appear as follows:

<?xml version=“1.0” encoding=“UTF-8” standalone=“yes” ?><appMatrixRegister> <WebServerDomain adminIP=“172.31.64.201”adminPort=“1100” adminTier=“Web Admin” clusterName=“PathCluster”expectedStartupDelay=“120” loadDelay=“120” maxNodes=“2” minNodes=“1”name=“DataDomain” nodeManagerPort=“5811” nodeTier=“Web App”><ManagedServers IP=“172.31.64.201” name=“managedServer_0”state=“STOPPED” /> <ManagedServers IP=“172.31.64.201”name=“managedServer_1” state=“STOPPED” /> <applications name=“AIDesign-time” path=“/lib/ai-designtime.ear” /> <applications name=“SystemEJBs” path=“/lib/ejbs.ear” /> <applications name=“Worklist Worker UserInterface” path=“/lib/worklist/worklist.ear” /> <applicationsname=“DBMS_ADK” path=“/lib/DBMS_ADK.ear” /> <applications name=“UserApp”path=“/user_projects/domains/userApp.ear” /> <nodeMonitoredValuesname=“Load5Average” /> <nodeMonitoredValues name=“PercentMemoryFree” /><serviceMonitoredValues name=“PendingRequests” /><serviceMonitoredValues name=“ExecuteThreadIdleCount” /><serviceMonitoredValues name=“ExecuteThreadTotalCount” /><deploymentConstraints attribute=“LoadAverage” expression=“Load5Average”frequency=“15” maxThreshold=“4.0” minThreshold=“−1.0” period=“15” /><deploymentConstraints attribute=“FreeMemory”expression=“PercentMemoryFree*100” frequency=“15” maxThreshold=“−1.0”minThreshold=“1.0” period=“60” /> <serviceLevelsattribute=“BusyThreadPercentage” expression=“(ExecuteThreadTotalCount−ExecuteThreadIdleCount)*100/ExecuteThreadTotalCount” frequency=“15”maxThreshold=“20.0” minThreshold=“5.0” period=“30” /> <serviceLevelsattribute=“PendingRequests” expression=“PendingRequests” frequency=“15”maxThreshold=“20.0” minThreshold=“5.0” period=“30” /> </WebserverDomain></appMatrixRegister>

FIG. 23 is a flowchart illustrating an exemplary series of general stepsthat are performed to add an application to application matrix 350 inaccordance with the principles of this invention. Administrator 20 firststages the application within a staging environment including deployingthe application on a desired image, creating a domain, specifying anyservices and external system connectivity (e.g., connections todatabases, queues) (380).

During this process, administrator 20 directs the application togenerate an application definition file that represents anapplication-specific configuration based on the environment specified bythe administrator. The application definition file contains informationspecific to an installation instance of the application. For example,the application definition file typically specifies the locations(paths) for all software components of the application as staged withinthe staging environment, a list of files to execute, connectivityinformation for the application, and other information that may berecorded by the configured application.

After staging the application, administrator 20 defines a set ofapplication configuration properties that specify desired behavior ofthe application within distributed computing system 10 (382). Examplesof such application configuration properties include a minimum number ofnodes, minimum resource requirements for a node, deployment timinginformation, network addresses of tier node slots that are able toexecute the application and other properties.

Next, administrator 20 directs configuration processor 354 to generatean application entry for the application using the applicationdefinition and the application configuration properties (384). Theapplication entry contains configuration attributes used by applicationgovernor 352 to interact with the application. In addition, theapplication entry contains rule attributes used by application rulesengine 355 that define how control node 12 monitors the deployment andexecution of the application within distributed computing environment10.

After configuration processor 354 creates the application entry,administrator 20 may modify the application entry (386). In particular,administrator 20 may update start scripts or shell scripts for theapplication due to path changes between the staging environment anddistributed computing system 10.

Once administrator 20 has finished modifying the application entry,administrator 20 inserts the application entry into application matrix350 (388). Because application matrix 350 detects that it has changed,application matrix 350 sends an alert to application SLAI 358 (390).

In response to the alert, application SLAI 358 may update applicationrules engine 355 and monitoring subsystem 202 (392). In particular,application SLAI 358 automatically scans application matrix 350. Ifapplication SLAI 358 detects new rule attributes, application SLAI 358creates local objects reflecting the new rule attributes in the workingmemory of application rules engine 355. In addition, if application SLAI358 detects new monitored values, application SLAI 358 updatesmonitoring subsystem 202 to add new monitoring collectors 224 (FIG. 16).

After application SLAI 358 updates application rules engine 355 andmonitoring subsystem 202, control node 12 has autonomic control over thedeployment of applications to tiers based on the configuration ofapplication matrix 350 (394). For example, control node 12 deploysimages, deploys applications, monitors the state of nodes and theexecution of the applications, and applies tier-level rules as well asapplication-specific rules. Application SLAI 358 continues to listen foralerts from application matrix 350.

FIG. 24 is a block diagram illustrating an exemplary embodiment of anautonomically monitored distributed computing system 400. Distributedcomputing system 400 may be distributed computing system 10. That is,system status manager provides autonomous adjustments to tolerancelevels used by control node 406 when monitoring and autonomicallycontrolling of application nodes 408. Control node 406 may representcontrol node 12 and application nodes 408A through 408N (collectively,application nodes 408) may represent application nodes 14 of distributedcomputing system 10 described in detail above.

In some instances, autonomic management systems may have difficultydistinguishing between genuine failures and perceived failures ofapplication nodes 408. For instance, an autonomic management system mayfalsely perceive a failure of an application node when the applicationnode is experiencing uncommon load or decreased system response time.Because of the difficulty in distinguishing genuine from falselyperceived failures, autonomic management systems may respondaggressively to any perceived failure. For example, a slow networkresponse time could cause an autonomic management system to think that anode has failed. The difficulty in distinguishing between actual andperceived failures may arise from the fact that many autonomicmanagement systems evaluate status of a single entity, such as a node ora switch, and determine normal or failure state based on informationfrom just that entity. Evaluating status based on information from asingle application node may lead to erroneous decisions because factorsreported by other entities may affect the status information of thatentity.

In autonomic monitoring system 400, control node 406 generates a failurenotification when the control node perceives a failure or conditionbased on one or more fault tolerance parameters. When a system statusmanager 402 receives the failure notification, system status manager 402considers a state of all of application nodes 408 when determiningactual versus false positive failures. System status manager 402assesses monitoring data from other services related to the failingcomponent before deciding on the component's health and status. Forexample, system status manager 402 may emulate the actions of a humansystem administrator by continuously evaluating monitors on allcomponents of autonomically monitored system 400 and making inferencesbased on the state of autonomically monitored system 400 as a whole.

System status manager 402 uses the initial status of the singleunderperforming node as a starting point to begin collecting additionalhealth information from other components to determine the root cause ofa degraded system. Multiple system status managers may work in parallelto evaluate different potential fault paths within the environment todiagnose the problem. The different potential fault paths may beorganized in a backward chaining mode.

System status manager 402 makes health and status decisions forindividual components based on historical information as well aspre-programmed responses to known failure scenarios. In the case ofperiodically polled monitoring data, when system status manager 402recognizes a failure of a single application node, system status manager402 evaluates the state of other application nodes in autonomicallymonitor system 400 that could affect the perceived state of the failingapplication node. If system status manager 402 determines the root causeof the failure is not a genuine failure, but a service issue, systemstatus manager 402 may increase a fault tolerance parameter for theapplication node based on the analysis of all the components inautonomically monitored system 400.

For example, system status manager 402 may increase the time betweenattempts to connect to the failing component to collect data if thenetwork traffic monitor indicates that utilization of the component isrising. In such situations monitoring may decrease the applicationnode's use of degraded system resources. This change in retry intervalwould result in a reduction of network load attributable to monitoring.

Depending on the root cause of the perceived component failures, systemstatus manager 402 may cause control node 406 to essentially ignore ordowngrade monitoring failures during periods of high system serviceutilization. Instead of adjusting the monitoring retry interval for eachmanaged component, control node 406 ignores or downgrade failures forall components—or a subset of identified components—until the systemresources return to normal utilization.

This rule-based, autonomic response to failure response may result in asystem that is less susceptible to the impact of system resourcecapacity issues, and that provides a more accurate view of the health ofcontrol node 406 and the components control node 406 manages. Instead ofenforcing hard, inflexible rules on response time and retry intervalsfor a monitored component, autonomically monitored system 400 uses thoserules as guidelines for monitoring system resources and components andresponds to real world situations without spurious failures caused byrigid rules.

In practice, system status manager 402 may comprises one or moresoftware module having instructions stored within a computer-readablestorage medium and executing within an operating environment provided bycontrol node 406 or other processing node.

FIG. 25 is a block diagram illustrating an exemplary embodiment ofsystem status manager 402 (FIG. 24). When a monitoring component 410 ofsystem status manager 402 has registered with control node 406 forfailure notification, monitoring component 410 receives the notificationand passes the notification to a Monitoring Rule Engine (MRE) 412.

MRE 412 contains a backward chaining rule set designed to perform rootcause analysis when control node 406 detects a component failure. When arule is fired, MRE 412 collects information from monitoring component410 (if information is available), or sends an action request to a taskmanager 414 to have the information collected by monitoring component410. Task manager 414 provides a pluggable infrastructure for adding oraugmenting actions required to complete a task.

As MRE 412 receives required information, MRE 412 attempts to determineif the original component failure is a genuine failure or a side effectof a degraded or failed system administration service. If MRE 412determines that the detected failure is a genuine component failure, MRE412 does nothing. However, if the failure is a side effect of a systemadministrative service, MRE 412 determines the scope of the impact ofthe failure and sends an action request to task manager 414. The actionrequest contains a set of operations to be performed by control node406. The set of operations may include modifications to monitoringsettings for the affected components, or instructions to control node406 to ignore monitoring settings for the set of components. Taskmanager 414 is responsible for instituting the action request passed totask manager 414 by MRE 412.

Various embodiments have been described. For example, an embodiment hasbeen described in which a system status manager is a separate componentfrom a control node. Nevertheless, the following claims encompass manyalternative embodiments. For example, functionality of a system statusmanager may be integrated into a control node. These and otherembodiments are within the scope of the following claims.

1. A method comprising: receiving monitoring data from a plurality ofapplication nodes interconnected via a communication network; receivinga failure notification from an autonomic management system when theautonomic management system perceives a failure of a first applicationnode based on a fault tolerance parameter; executing an autonomoussystem status manager to analyze the monitoring data from theapplication nodes to determine whether the perceived failure of thefirst application node is genuine; and autonomically adjusting the faulttolerance parameter with the autonomous system status manager when theperceived failure of the first application is determined not to begenuine.
 2. The method of claim 1, wherein analyzing the monitoring datacomprises autonomously determining whether a degree of computationalservice utilization exceed a threshold and caused the autonomicmanagement system to incorrectly perceive the failure of the firstapplication node.
 3. The method of claim 2, wherein the fault toleranceparameter is a measure of time between attempts to connect to the firstnode; and wherein determining whether a service issue caused theautonomic management system to perceive the failure comprises increasingthe measure of time between attempts when utilization of the first nodeis rising.
 4. The method of claim 1, wherein adjusting the faulttolerance parameter comprises causing the autonomic management system toignore monitoring failures during a period of high system serviceutilization.
 5. The method of claim 1, wherein analyzing the monitoringdata comprises using historical information and pre-programmed responsesto known failure scenarios to analyze the state of the applicationnodes.
 6. The method of claim 1, wherein analyzing the monitoring datacomprises using a backward chaining rule set to analyze the monitoringdata.
 7. The method of claim 1, wherein adjusting the fault toleranceparameter comprises modifying monitoring settings of the first node. 8.A distributed computing system comprising: a plurality of applicationnodes interconnected via a communications network; an autonomicmanagement system to provide autonomic control of the application nodes,wherein the autonomic management system monitors the application nodesto perceive a failure of a first node of the application nodes based ona fault tolerance parameter; and a system status manager to autonomouslyadjust the fault tolerance parameter based on an analysis of a state ofall of the application nodes.
 9. The distributed computing system ofclaim 8, wherein the system status manager adjusts the fault toleranceparameter based when a service issue causes the autonomic managementsystem to detect the failure.
 10. The distributed computing system ofclaim 9, wherein the fault tolerance parameter is a measure of timebetween attempts to connect to the first node; and wherein system statusmanager increases the measure of time between attempts when utilizationof the first node is rising.
 11. The distributed computing system ofclaim 8, wherein the system status manager causes the autonomicmanagement system to ignore monitoring failures during a period of highsystem service utilization.
 12. The distributed computing system ofclaim 8, wherein the system status manager uses historical informationand pre-programmed responses to known failure scenarios to analyze thestate of all of the application nodes.
 13. The distributed computingsystem of claim 8, wherein the system status manager comprises amonitoring rule engine (MRE) to perform the analysis when autonomicmanagement system detects the failure, wherein the monitoring ruleengine comprises a backward chaining rule set.
 14. The distributedcomputing system of claim 13, wherein the MRE generates an actionrequest based on the analysis; and wherein the system status managercomprises a task manager to institute the action request in thedistributed computing system.
 15. The distributed computing system ofclaim 14, wherein the action request includes modification to monitoringsettings of the first node.
 16. The distributed computing system ofclaim 14, wherein the action request includes instructions to theautonomic management system to ignore monitoring settings for the firstnode.
 17. A computer-readable medium comprising instructions, theinstruction causing a processor to: receive monitoring data from aplurality of application nodes interconnected via a communicationnetwork; receive a failure notification from an autonomic managementsystem when the autonomic management system perceives a failure of afirst application node based on a fault tolerance parameter; and analyzethe monitoring data from all of the application nodes to determinewhether the perceived failure of the first application node is genuine;and adjust the fault tolerance parameter when the perceived failure ofthe first application is not genuine.